Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.

Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.

Impact: A remote attacker may cause an unexpected application termination of cupsd

Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.

Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html [adobe.com] Credit to an anonymous researcher and Damian Put working with TippingPoints Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).

*

ImageIO

CVE-ID: CVE-2009-2285

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8

Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.

You can mostly avoid using Flash with Youtube. Many of the videos can now be viewed with H.264 so you don't need Flash there either.

Honestly I find very few sites that I need to enable Flash to view. Most of the sites that require Flash are annoying anyways and I'm glad to avoid them. A lot of sites want iPhone users to be able to view them and so they provide a non-Flash fallback that is a lot more usable than their main Flash page.

You wouldn't need Flash at all if Youtube would stream one of the many open standards.HTML 5 addresses it, but Youtube is pretty cozy to Adobe.It wasn't always that way... back in the day, you could get streaming video with HARDWARE acceleration.CPU accel is not a big deal on most desktops, but with the new low-wattage Ion/Intel combos or ARM CPUs, it really does matter.

Really? I've gone without Flash on my work PC for three months, and the only things it stops me from using that I actually care about are funny videos that people send around the office, and the web site of the company that made the hardcore orange juicing machine in the kitchen (we'd lost the manual). Most of the stuff that's actually useful doesn't need Flash.

Well guess what fanboi, you can get Flash on Windows too. If this isn't an OSX problem where is the Microsoft Security Update? And why is Apple patching this, not Adobe?

Face it, Apple is way less secure than Windows.

There were also vulnerabilities in the Windows version. They were patched by Adobe a couple of months ago. Adobe just released the Mac version of the updates. Again, blame Adobe for being late to patch Flash for Mac, not Apple.

Apple is not patching Flash, they are just pushing out the latest version from Adobe since Flash is part of the default install for Mac OS X.

You might want to actually do some research before you make baseless accusations but I guess that's why you hide behind the "Anonymous Coward" f

The most concerning is the TIFF vulnerability; fortunately that's a 10.5 issue, not a 10.6 issue. The second most concerning is the SSL vulnerability, but I've not trusted SSL alone for a while now. Still tossing up throwing out Firefox's trust anchor code and replacing it with an SSH style known-hosts setup... but the FF code is a total dog to work with. And I don't care. Mostly, I guess, I don't care. Thank you, my bank, for two-factor aut

It's interesting that many of these(like the image exploits) can be triggered by just browsing to a website(like the IE6/Google/China fiasco) or by mp4 audio/video files. Where are all the 'LOL M$ can't code' posters here?

It's viruses that are only possible on Windows. All operating systems have security holes, but only Microsoft systems get viruses. The Apple commercials very clearly refer only to viruses. The PC sneezes and acts like he has a cold, he's caught something, and the Mac can't catch it from him, he's immune to the viruses. Security holes are not covered at all.

Welcome to marketing spin. At least in apple's case, they have real world usage stats to back it up. Microsoft's "most secure windows ever" bullshit is generally spouted on OS release, with no historical evidence.

Note that end users don't particularly care if "in theory" an OS is less secure, so long as THEY don't end up getting owned, they don't really care about the theory of it all.

Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.

A few years ago, when Microsoft's Windows source code was leaked, a hacker found a problem in the handling of the standard BMP format (IIRC, it was an integer that was not considered signed, and it contained the size of the picture), which could allow arbitrary code execution.

What bothers me is that Apple's developers don't check if they have the same problems as their direct competitor.

Actually, if you are debugging an image parser library, I advocate commenting out all the obvious fails (like, this file doesn't have the right magic number, it's not a GIF) and then feeding the thing pure random data, seeing how it handles it. You never know what kind of bug might turn up. Of course you'll want the non-random random data as well, but the random random stuff is useful.

These sophomoric no-input-sanitization errors are the most common kind. didn't apple make one before with the iPhone and SMS or something? We've seen cellphones that don't check to make sure bluetooth data is valid. Firewire is a big mess because the hardware permits access to things it shouldn't.

I don't know if you've ever written an image parser before, but sanitizing the data before you parse it can be really hard. If you think about it, the data itself can be almost random, considering a picture can be almost anything. To do a good job validating the data, you would almost have to re-implement the parser itself.

Not saying they shouldn't have caught these bugs, but it's a little harder than just validating the data as it comes in.

Actually, I personally found and patched the TIFF bug. In January. Of last year. http://bugzilla.maptools.org/show_bug.cgi?id=1985 [maptools.org]Feeding random data (aka fuzzing) might work, but 99% of the time, I'd imagine it'd just give you a corrupted image and bail out. You have to be clever about how you search for it. I found a known vulnerability patch posted by, of all people, an Apple employee, and tried to reverse engineer what he'd fixed. I found that the patch hadn't been applied on old version of the PSP system software, which is what I was targeting. After messing with this specific attack vector, I noticed that I could still crash system software version that did have the patch. After reading up on LZW compression (which is what part of LibTIFF had the vulnerability) and the TIFF specification of how they implemented LZW, I realized that the Apple patch was incomplete--it only tested for one value you could give it that was erroneous. By simply changing the equality they used (in two places) to an inequality, I tested for all erroneous values. Meanwhile, I tried to exploit the new unpatched vector on the PSP so that I could inject code. Failing this, I decided the best course of action was to submit a bug report to LibTIFF. It might seem a tad unethical to try and exploit the bug before reporting it, but I wasn't trying to exploit in for malicious purposes, and not on a desktop operating system. Regardless, I failed to make it do more than crash the PSP. Surely the best course of action here would be to patch it upstream before anyone else found it. (Incidentally, this "arbitrary execution" this is blown out of proportion. In its current state, it is extremely unlikely that it could provide ANY code execution. Just crashing. Although I don't know if it's IMPOSSIBLE for it to execute code with this vulnerability, it would take a lot of work to get anything valuable out of this. Mostly it's a DoS. They usually just attach "arbitrary execution" when there's even the vaguest possibility for code to be executed, regardless of whether or not such an exploit has been demonstrated.)

It, um, took a while for anyone to notice the patch. In fact, the only reason anyone did notice was because someone found some of the fruit of my research into this bug and then posted a link to the research in a new bug report. Funnily, they created a different patch, which, instead of preventing the infinite loop caused by the erroneous data, just tested to see if the loop was writing out of bounds. Perhaps both approaches should be used together. Defensive programming and all that. Regardless, I noticed this new bug report shortly afterward it was posted and pointed them back to the inexplicably ignored old bug report. Most Linux vendors applied the patch shortly after the new bug report was filed, but Apple lagged by a number of months, until 10.6.2 came out. This update backports the fix into 10.5.x. However, I've found that some projects (such as Qt) are still using ancient versions of LibTIFF that have had numerous bug and security fixes since they were last updated in the projects' trees. While Qt does try to use the system's version of Qt if it can, it's still kind of scary to think about what could happen if it falls back on its own version, as I've seen it do before when I try my "corrupted" TIFF on things like Arora.

Has anyone driven a truck thru these gaping holes? Anyone? Beuller? When OSX is suffering from a deluge of viruses from all these supposed gaping holes in it's Architecture, please come back and let us know. Because while every operating system has vulnerabilities, only Microsoft was kind enough to make those vulnerabilities accessible by system wide scripting mechanisms that allowed millions of computer users the world over be the subject of attacks from the hundreds of thousands of pieces of malware constantly fighting to infect Windows PCs. The count (for those who think a security vulnerability makes Apple's points about viruses invalid) is about one hundred thousand to 0. This is being very generous. So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.

Whilst I'm a mac user/fanboi and agree with most of your post - I'm sure there must be some vulnerabilities being exploited for MacOS out there somewhere. It ships with Apache, and a heap of BSD userland tools ffs. I'd say there are no commonly encountered viruses on MacOS... not necessarily NONE.

So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.

As a matter of Fact, there ARE viruses for Mac OS X.

OS X uses various parts of the FreeBSD Security Framework and Filesystem.

They have viruses for FreeBSD that base their attacks on those parts, and it has been proven that they work just as well on a Mac as they do on that flavour of Linux.

Just because Mac users are not affected by the hordes of windows viruses that they catch (and yes, Macs catch the same viruses as Windows, they merely can't operate because they were designed to run on Windows) - doesn't

Except you kids need to read on what people mean when they say a "virus". Hint: it's not the same thing as malware that user has to install themselves, and you need to rely on social engineering techniques to get them to install your malware for you (in the above case the lure of free Photoshop installation), etc.

Actually, no. Both virus and worm are self replicating and propagating without user interaction. The only technical difference is that a virus attaches itself to an existing process, whereas a worm is standalone.

There aren't enough Windows with IIS installed to make the average script kiddie drool in anticipation in comparison to Linux/BSD with Apache. Oh wait.

If you don;t think the the chance to be the "first person to exploit the 'secure' OS X with a virus" isn;t driving some of these people then you are deluded. Or that genuine organised crime isn't going after the Mac platform (as a non-negligable marketshare) as well as Windows since it is amulti-million dollar industry compromising machines over the net. So far though, not much beyond proof of concept stuff and things that require user credential authentication.

It's no reason to be complacent (and the patching of vulnerabilities is not complacency), or the assertion that OS X is immune to threats, because it isn't. But it has proven to have a pretty good track record - not perfect, but pretty good. Continued work is still needed though.

Yes, my point about IIS vs Apache wasn't that there were more attacks against IIS, just that there are documented and exploited holes.

And yes, there have been many holes found in the various parts of OS X that have been fixed (and some yet to be fixed) but in terms of malware in the wild, there is practically none. There was a disk image that claimed to be Office for Mac on torrent sites that actually ended up deleting your files after you gave it your admin password, and a couple of other proof of concept attacks, but stuff actually out there roaming free in the wild is extremely rare - vanishingly so. I will not say "none" because it is clearly not true, and it allows the possibility of something to emerge, but for all the holes that have appeared in components of OS X, over the course of the life of the OS, no one has demonstrated stuff beyond possibilities.

The TFA does indeed say "could install spyware and delete files" - ie, if the hole is exploited. No one is denying that (and when the hole is closed, they can't) but so far, no one has been able to - the vector for attack has not been there. There was nothing in the wild that exploited some of these holes, and they have been nipped up before anything could be produced.

There are obviously other holes that have yet to be closed - including, as some security people have claimed, ones that have been open and exposed for a very long time (consider the guy who knew of two vulnerabilities and kept one to himself so he could exploit it the next year at the 'break OS X contest'). If that hole was known and vulnerable for a year, where are the in-the0wild exploits actually installing malicious software and keyloggers and so on? The hole was there for a malicious mp4 file, but the malware that exploited it was not.

I'm not not nieve enough to assume or assert that OS X gets a free pass on security, but the prior performance has been good compared to Windows, even with the difference in install base. It's in a similar position to Linux with regard to security holes (and shares holes with some BSD components that the OSS community is also exposed to).

What you are linking to is NOT a virus, but a malware that user has to download, authenticate themselves as someone allowed to install software and install it.

If you have a user willing to do that, then all bets are off.

The original assertion still stands though. No viruses (i.e. self propagating code that spreads from machine to machine without user intervention). There aren't any for OS X and I'm not aware of any for Linux/BSD etc either.

I just wonder why the summary title says "MASSIVE holes..." when the original article "serious".. a bit of bias, perhaps??

More realistically, this is just another security update. Find me an OS that doesn't have them, and for similarly "obvious" or "easily found/fixed" (hindsight and armchair hacking being perfect of course) and I'll either switch right away, or dust off the old TRS-80 from my closet to run it on.

The way I see it, if you have a brain and use it while browsing, you are generally fine. But people are stupid. And if you are going to market your product to stupid people, you need to make sure you do everything you can to minimize the damage stupid people can do to others. (Stupid people generally deserve their own damages...)

Now to start the debate over which company is more in the business of marketing to stupid people...

You just couldn't wait to post that, could you? FYI: every piece of software needs updates, and there is still always one piece of software that will be more secure than the others. I don't know if OSX is more secure than Windows 7, but both of them will continue to receive updates, that fact doesn't make either of them less secure.

Anything posted on some forum, whispers in an irc chat?
Anything new floating around for a Mac running 10.6 that will do an IE and pop the browser/OS from a remote site?
Most still need the user to enter his/her password as a application/codec.
Mac are still safe to surf with for now.
Macs have a list of malware and loggers, the pre OS 10 had lots too.
But nothing in the wild to infect just yet with a site visit.
If anything existed outside law enforcement, spooks and one off professional solutions, every M

One off professional solutions for a cash prize by a ex NSA worker.
Where are the in the wild hacks?
Where are the step by step scripts and FAQ's for setting up a Mac trap?
We have one very very very smart person showing up with a prize to win at this time.

The pwn2own contest would say otherwise. Mac is usually the first to go down.

Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.

This is actually a valid complaint, although this link is actually referring to hacking done under Leopard, not Snow Leopard. Snow Leopard is still missing a full implementation of ASLR, and that leaves it vulnerable to some exploits.

Vista was the first Windows OS to implement ASLR, and it was assumed that Snow Leopard would do the same, but that didn't happen, or at least not fully. They have prevented 'data' from being executed as arbitrary code (DEP), but they still don't randomize all of the OS componen

With default Windows 7 settings, the current exploit doesn't work. IE8 in XP without DEP protection. It CAN theoritically be expolited with DEP but haven't seen any current exploits that work around DEP protection.
Also running with non-admin privileges (recommended, and default in vista & windows 7) reduces the attack surface (i.e. backdoors can't be installed without taking advantage of some other vunerability)
so the IE vunerability is a bit overblown, following good security practices (which are default in vista & windows 7) already prevent the known attacks.

Because Safari hasn't been around that long. Even if it contained but that were exploitable since Safari 1.0, it still wouldn't have any vulnerabilities that went unpatched for as long as the one in IE.

Well, except get access to the authentication credentials for my Internet banking site and transfer all of my money to a numbered Swiss account as soon as I log in. Good thing it can't get at my Freecell high scores though...

That's exactly my point - read the first post in the thread and my reply. Someone responded to that with a non-sequitor about IE and you saw my reply. The original poster seemed to imply that Apple releasing an update somehow decreased the perceived security of OSX.

You *have* to be a fanboi to post here... you must take a side, there is no fence-sitting allowed on Slashdot.

You can take the "M$ sucks" route for infinite karma heaven, or the "A$$le sucks" route for instant karma hell. The "Linux (no dollar sign of course, this is FOSS) sucks" route simply leads to much debate and handwringing, with unknown karma effects... look on that path as something like Buddhism.

Where we go from here, that's a choice I leave up to you. (oblig. Matrix reference)

Hmm.. I used to hate Microsoft, back when I had to develop for IE6, but with steps in the right direction for IE8 and Windows 7 I'm feeling less hatred and more optimism. I used to have not much of an opinion on Apple, but now I think Apple is my most hated company (somehow they overtook Sony). Google is sort of like a fun uncle who always comes over bringing gifts, but you're not sure if he just does that because he wants to molest you. I gave up on Linux after a terrible experience trying to install De

His point is that you can't take a Windows vulnerability, and write a/. comment around it that basically amounts to "and that's why Windows security sucks", but when a similar vulnerability is found in OS X, write another/. comment around it that amounts to "well, shit happens, but anyway, now it's even more secure than ever" - it's hypocritical. Either both vulnerabilities indicate systemic problems, or neither one does.

Well, it really depends *who* says it - the marketing departments at MS and Apple both tout "OS X/Windows is more secure than ever" - from a marketing standpoint they obviously aren't going to say anything else. From a certain perspective both are true - both Windows and OS X are more secure than ever, since they have been patched up - whether there are still a thousand other holes doesn't really change that, it just infers that there are no other problems which is where it gets muddy.

Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows. These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

That's not to say that Mac users have free license to ignore proper security practices. Trojans, poor/shared passwords and not updating their software can leave them as vulnerable, if less targeted, than PC users. Given that one of the problems is with flash (and the fix is as simple as an update), I wonder if there's a good enough of a target out there for hacking Mac WOW players through flash ads hijacks.

Before you flame, I will say that if you're on/. and a Mac lover, I sincerely doubt you're one of the problem kids for updates on most any system you control.

So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

So far as I have seen, problems with user-space components such as Notepad are indeed counted as Windows issues. Which makes perfect sense, since Notepad is present out of the box, and the box says "Windows" on it.

Similarly, OpenBSD has a fork of Apache 1.3 in their base system. If a vulnerability is found in that, then surely it's an OpenBSD vulnerability (hence the difference between base system and ports).

If Apple ships Flash plugin that way, then they have to deal with any security issues that may cause.

Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.

You think you're the only one? My machine at home runs an unpatched version of XP SP3 (legally licensed, I just don't really bother to update it). I don't run a virus scanner, nor a software firewall, nor a memory-resident malware scanner. My current machine has never been infected (~2 years or so, since Crysis). My machine before that (same config) got infected once, when my roommate was porn browsing in IE.

The point? You don't need to run something other than Windows if you want to avoid infection, y

That's a good point, most of the time I don't have a reason to believe that but if I suspect something funny is going on I'll fire up Malwarebytes or something like that to check on it. I've got one or two anti-malware programs installed, I just run them on an as-needed basis instead of constantly scanning.

The point? You're not "us[ing] your computer intelligently" if you don't use any run some sort of security software just as a precaution.

That's a good point.

I'm not saying I only browse sites I trust (porn certainly needs to be watched occasionally), but when I'm browsing I'm using either Opera or Chrome, neither of which seem to get targeted. Not using IE (for anything) is actually the #1 security tip I can give to any Windows user. The only time I'll ever run IE is when I'm developing a site in Opera and I want to test it. I've got a toolbar button to open the current page in IE so it doesn't even need to go to its home page or anywhere

Massive Holes? I wouldn't consider any of these critical vulnerabilities, except for the ever so popular Flash sponge.

* CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. Seems this could crash your audio player.

Not at all. Your only looking at the end result as evaluating risk from that, and not the vector of infection.

The flash update wasn't 'dismissed' and I noted it was a serious issue, but the fault lies with Flash. It is an abomination.

The MP4 vulnerability would require someone actually get their hands on a specifically crafted MP4. The typical user either creates their own MP4's from their own audio CD's, or downloads them from iTunes on a Mac. If they are getting them from seedy sources, then they pretty much get what they deserve

The last one I wouldn't consider a huge risk simply for the fact that I had never heard of the format. It would require someone that works with raw image data who happens to get an Adobe DNG image that has this vulnerability. This isn't like some drive by hijacking. I don't see this as a likely path to infection.

That's how most MP4s come into existence. But an MP4 (or a TIFF for that matter) can be put up onto a webpage by an attacker, and rendered by the browser without the user needing to explicitly download and run it. If visiting a maliciously-crafted website can lead to arbitrary code execution, I'd say there's a serious problem.
(I haven't investigated the particular flaws closely enough to tell if that is the case. However, based on the advisory, it seems quite likely.)

You are overlooking that Safari considers certain filetypes "safe" (including MP4, not sure about TIFF or DNG) and opens them by default. Its quite possible these vulnerabilities could be rigged to "drive by" a casual web surfer with no user interaction.

Furthermore Finder has a preview function which is activated by simply single-clicking on a file, which could be another vector to attack an 'innocent' user.